                        U.S. Department of Agriculture

                           Office of Inspector General
                            Financial & IT Operations


                                  Audit Report

              National Finance Center’s Controls Over Time
                          and Attendance Data


                                  Report 11501-4-FM
                                      October 2008


                    UNITED STATES DEPARTMENT OF AGRICULTURE
                           OFFICE OF INSPECTOR GENERAL
                              Washington, D.C. 20250


October 29, 2008

REPLY TO
ATTN OF:    11501-4-FM

TO:         Charles Christopherson, Jr.
            Chief Financial Officer
            Office of the Chief Financial Officer

THROUGH:    Kathleen A. Donaldson
            Audit Liaison Officer
            Office of the Chief Financial Officer
            Planning and Accountability Division

FROM:       Robert W. Young
            Assistant Inspector General /s/
              for Audit

SUBJECT:    National Finance Center’s Controls Over Time and Attendance Data


We audited the National Finance Center’s (NFC) controls over time and attendance (T&A)
payroll information. This information is submitted by Federal agencies that contract with NFC to
process salary payments for their employees. NFC feeds T&A information through two
electronic systems: (1) the Time and Attendance Validation System (validation system) and (2)
the Time and Attendance Online Suspense Correction and Document Addition System
(correction system). NFC’s validation system performs a series of automated checks to detect
errors (e.g., a full-time employee being credited with less than full-time hours).
When it finds an
error, the validation system holds the employee’s T&A data until NFC’s staff resolves the error
using the correction system. Nothing came to our attention to indicate that employees’ T&A
information was not being processed correctly, but we did have concerns about potential
vulnerabilities in NFC’s security over access to that data, which were resolved during the course
of our audit.

In general, we found that NFC did not ensure that access to employees’ T&A data was restricted
to only those personnel whose job required it. According to the National Institute of Standards
and Technology (NIST),[1] agencies must grant access to electronic information systems on a
need-to-know basis, and NFC’s directives reinforce that employees will be authorized access
only to the resources they need to perform their job.[2] However, we determined that NFC had
granted agencies’ personnel unnecessary access to T&A data. In addition, NFC had not
restricted its own staff’s access to only those whose jobs required them to use the T&A
correction system. Details follow:

[1] NIST’s Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, December 2006.
[2] NFC’s Management and Administrative Directives Manual, Title VII, Chapter 11, Directive 27, “Data Security Access Policy,”
    March 2005.

USDA/OIG-A/11501-4-FM

Charles Christopherson, Jr.                                                                      2

NFC should ensure that each agency only has access to its own T&A information.
We found
that several agencies had inappropriate access to other agencies’ data.[3] For example, when the
Department of Homeland Security (DHS) was created in 2003, NFC placed DHS employees’
T&A information in the same database used for the U.S. Department of Agriculture (USDA).
NFC allowed staff who processed T&A data for each Department (i.e., timekeepers) access to
the other’s information. Subsequently, NFC moved DHS’ T&A information to another database,
but the two Departments retained dual access. We informed NFC about the issue, and,
in July 2008, NFC required agencies to (1) ensure that their personnel did not have improper
access to other agencies’ T&A data and (2) request that NFC remove any access privileges that
were no longer necessary or valid. These corrective steps addressed our concern.

Further, NFC had not removed agencies’ access to a software program that transfers electronic
information across storage mediums (e.g., from one computer hard drive to another).[4] The
program copies T&A data and then writes the information onto the new medium, which allows
users to make changes to the data during the copying process. The program is no longer used to
move T&A data because newer programs allow the agency to do so more securely, but it
remained part of agencies’ access privileges and so constituted a potential vulnerability. We
raised the issue with NFC officials, who removed the program in April 2007.

We also found that the training setup NFC developed, to teach agencies’ personnel how to
transmit T&A information, gave trainees access to NFC’s production systems rather than to a
separate training environment. We were concerned that trainees were able to submit real T&A
data during training to NFC for payroll processing.
NFC had written procedures requiring its staff to
set up agency training environments without access to its T&A systems, but did not distribute the
procedures to its staff. Nothing came to our attention to indicate that trainees had accidentally or
purposefully sent real data through NFC’s T&A system, but we noted the potential vulnerability.
NFC agreed with our assessment, removed the trainees’ access privileges, and distributed the
written procedures prohibiting training access to actual T&A systems in April 2007.

In addition, NFC did not fully restrict access privileges for its own employees. NFC granted
staff in its personnel branch access to its T&A correction system. Since the personnel branch
processes information for new employees, those staff members with access to the T&A
correction system could both create a fictitious employee and then submit T&A information for
that employee, which would result in a payment being issued. Thus, personnel branch staff with
access to the T&A correction system constitute a potential vulnerability that should be mitigated
by segregating duties. Nothing came to our attention to indicate that NFC employees with
inappropriate access created fictitious employees. However, NFC agreed to minimize the risk
and, in August 2007, removed access from employees who did not need it to perform their job.

[3] NFC also contracts with cross-servicing agencies, which themselves have contracts with other agencies to process their T&A
    data before submitting it to NFC. In these cases, NFC has legitimately granted the cross-servicing agencies access to other
    agencies’ T&A information.
[4] The software program is an IBM mainframe utility program: IEBGENER.

Information systems are required to track users’ actions (i.e., record an audit trail).[5]
However,
NFC’s T&A correction system did not track which NFC staff member worked on a particular T&A
record, or the nature of any changes that were made. NFC’s procedures generally require its
staff to work with agencies to resolve the errors with employees’ T&A data.[6] NFC staff can both
correct errors and initiate T&A records for agencies that request it. For example, agencies may
ask NFC to enter T&A data for employees who have missed NFC’s cutoff date for submitting
T&A data. The ability of NFC staff to change and create T&A information for agencies without
an audit trail weakened NFC’s control over the integrity of that data.

NFC officials agreed that the lack of an audit trail was a potential vulnerability, but noted that
redesigning the system would be cost prohibitive. To address the issue, NFC instituted controls
to compensate for the lack of an audit trail in August 2007. Now, T&A records that are created
in the correction system carry the user identification of the NFC employee who created them.
These records are subject to supervisory review when they are created for NFC staff or for
other Office of the Chief Financial Officer employees. NFC also selects a sample of other
agencies’ corrected T&A records for review. We agree that these actions adequately mitigate the
risk.

Combined, the weaknesses above constituted a security vulnerability that offered unauthorized
personnel the potential to inappropriately alter T&A data. Given NFC’s actions to strengthen the
security of access to the validation and correction systems, we determined that its controls over
T&A data were adequate.

BACKGROUND

Federal agencies contract with NFC to process their employees’ T&A data. Every 2 weeks,
agencies prepare a T&A record for the hours their employees worked and then transmit the
information to NFC.
Before using the data to process payments, NFC’s validation system
automatically checks for errors, such as a T&A received for a separated employee. If the system
finds a problem, the individual’s T&A data is sent to an error suspense file, where it remains until
it can be fixed in NFC’s correction system. After T&A data passes all edits and is validated, it is
then processed through NFC’s Pay Computation System (pay system). This pay system
computes employees’ gross pay, deductions, and adjustments to calculate net pay. In addition,
the pay system updates payroll/personnel information in NFC’s database to reflect employees’
salary payments and their used and accrued vacation hours and sick leave. In 2007, NFC
processed salary payments of nearly $26 billion for about 600,000 employees who worked for
approximately 140 agencies.

[5] NIST’s SP 800-53, Recommended Security Controls for Federal Information Systems, December 2006.
[6] NFC’s Payroll/Personnel Manual, Title I, Chapter 2, Section 1, “T&A Processing and TSUS,” December 1998.

OBJECTIVE

The objective of this audit was to assess NFC’s controls over the input, processing, and output of
data processed through its T&A validation system (the Time and Attendance Validation System)
and T&A correction system (the Time and Attendance Online Suspense Correction and
Document Addition System).

SCOPE AND METHODOLOGY

To accomplish the audit objectives, we reviewed NFC’s management and security controls over
processing T&A data at NFC in New Orleans, Louisiana.
Specifically, we:

   •   Reviewed the Office of Management and Budget’s requirements for controls over
       electronic information systems; Federal Information Processing Standards requirements
       for Federal information and Federal information systems; NIST’s guidance; and relevant
       USDA regulations and manuals.

   •   Reviewed NFC’s policies and procedures related to T&A data input, processing, and
       output.

   •   Interviewed key personnel at NFC about their adherence to applicable policies and
       procedures, and the workings of their electronic information systems’ controls.

   •   Reviewed security access reports for January 2007 and T&A record files for the first
       2007 Federal pay period (January 7 through 20).

   •   Examined security access and T&A transactions using Audit Command Language (a
       database analysis software program).

   •   Discussed the issues we identified with NFC officials to understand their perspective.

   •   Obtained NFC’s agreement with our concerns and reviewed its corrective actions.

We performed fieldwork from January 2007 through July 2008.

We conducted this audit in accordance with generally accepted Government Auditing Standards.
These standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions.
CONCLUSION AND REQUIRED AGENCY ACTION

As discussed above, NFC implemented key improvements during our audit to restrict access to
its T&A validation and correction systems, and NFC instituted a control mechanism to monitor
its employees’ actions in the correction system. Together, these actions strengthened NFC’s
controls over the two systems to minimize the potential for unauthorized access and unallowable
changes to T&A data. Accordingly, this report presents no recommendations, and no further
action is required by your office.

We appreciate the courtesies and cooperation extended to us by members of your staff during our
review.
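The access findings in this report (timekeepers able to read another Department’s T&A data, a retired copy utility still granted, training accounts on production systems, and personnel-branch staff who could both create an employee and submit T&A for that employee) are all the kind of thing a periodic review of a security access report can surface. The script below is an added example and not NFC’s code or the auditors’ Audit Command Language work: the access-report rows, agency names, privilege names (`TA_SUBMIT`, `TA_CORRECT`, `PERSONNEL_CREATE`, `LEGACY_COPY_UTIL`) and the cross-servicing table are constructed for illustration. It applies four checks to each account and groups what it flags by home agency, which is the unit the report says was asked to confirm or request removal of each access right.

```python
"""Access-rights review of the kind the report describes. Added example, not
NFC's code: the access report rows, agency names, and privilege names are
constructed for illustration."""
from collections import defaultdict

# Constructed security access report: one row per user account.
ACCESS_REPORT = [
    {"user": "tk_usda_01", "agency": "USDA", "data_access": {"USDA"},
     "privs": {"TA_SUBMIT"}, "training": False},
    {"user": "tk_usda_02", "agency": "USDA", "data_access": {"USDA", "DHS"},
     "privs": {"TA_SUBMIT", "LEGACY_COPY_UTIL"}, "training": False},
    {"user": "tk_dhs_01", "agency": "DHS", "data_access": {"DHS", "USDA"},
     "privs": {"TA_SUBMIT"}, "training": False},
    {"user": "xs_agx_01", "agency": "AGENCY_X", "data_access": {"AGENCY_X", "AGENCY_Y"},
     "privs": {"TA_SUBMIT"}, "training": False},
    {"user": "train_dhs_01", "agency": "DHS", "data_access": {"DHS"},
     "privs": {"TA_SUBMIT"}, "training": True},
    {"user": "nfc_pers_01", "agency": "NFC", "data_access": {"NFC"},
     "privs": {"PERSONNEL_CREATE", "TA_CORRECT"}, "training": False},
    {"user": "nfc_corr_01", "agency": "NFC", "data_access": {"NFC"},
     "privs": {"TA_CORRECT"}, "training": False},
]

# Cross-servicing relationships (footnote 3 of the report): servicing agency ->
# agencies it legitimately processes T&A for. Constructed.
CROSS_SERVICING = {"AGENCY_X": {"AGENCY_Y"}}

# Privilege combinations that violate segregation of duties.
SOD_CONFLICTS = [
    ({"PERSONNEL_CREATE", "TA_CORRECT"},
     "can create an employee record and then submit T&A for it"),
]

# Privileges that are obsolete and should have been withdrawn.
RETIRED_PRIVS = {"LEGACY_COPY_UTIL"}

# Privileges that touch production T&A systems; training accounts get none.
PRODUCTION_PRIVS = {"TA_SUBMIT", "TA_CORRECT"}


def review_access(report, cross_servicing=CROSS_SERVICING):
    """Apply the four checks to every row. Returns a list of
    (user, home agency, finding) tuples; an empty list means nothing flagged."""
    findings = []
    for row in report:
        user, home, privs = row["user"], row["agency"], row["privs"]
        # 1. Data access outside the home agency and its servicing relationships.
        allowed = {home} | cross_servicing.get(home, set())
        for agency in sorted(row["data_access"] - allowed):
            findings.append((user, home, f"access to {agency} T&A data with no servicing relationship"))
        # 2. Training accounts must not reach production systems.
        if row["training"] and privs & PRODUCTION_PRIVS:
            findings.append((user, home, "training account holds production privileges"))
        # 3. Privileges that should have been withdrawn.
        for priv in sorted(privs & RETIRED_PRIVS):
            findings.append((user, home, f"retired privilege still granted: {priv}"))
        # 4. Segregation-of-duties conflicts.
        for combo, why in SOD_CONFLICTS:
            if combo <= privs:
                findings.append((user, home, f"segregation-of-duties conflict: {why}"))
    return findings


def by_agency(findings):
    """Group findings by home agency, the unit asked to confirm each access
    right or request its removal."""
    grouped = defaultdict(list)
    for user, home, finding in findings:
        grouped[home].append((user, finding))
    return dict(grouped)


if __name__ == "__main__":
    for agency, items in sorted(by_agency(review_access(ACCESS_REPORT)).items()):
        print(agency)
        for user, finding in items:
            print(f"  {user}: {finding}")
```

The cross-servicing table is what keeps the check from flagging the legitimate case the report’s footnote 3 describes; without it, every servicing agency would show up as a false positive and the real findings would be harder to see.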
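The report’s account of the validation system (automated edits such as a T&A for a separated employee or a full-time employee credited with fewer than full-time hours, with failures parked in a suspense file) and of the compensating control NFC added to the correction system (stamp each created record with the creating user, review records for NFC and other OCFO staff, sample the rest) can be shown together in one small model. This is an added example, not NFC’s code: the employee master records, the 80-hour pay period, the agency codes and the every-nth-record sample are constructed assumptions.

```python
"""T&A intake edits and a compensating audit-trail control. Added example, not
NFC's code: employee records, the 80-hour full-time pay period, and the
every-nth-record review sample are constructed assumptions."""
from dataclasses import dataclass

FULL_TIME_HOURS = 80  # assumed hours in a biweekly pay period


@dataclass
class Employee:
    emp_id: str
    agency: str
    schedule: str           # "FT" (full-time) or "PT" (part-time)
    separated: bool = False


@dataclass
class TARecord:
    emp_id: str
    agency: str             # agency that submitted the record
    hours: float
    pay_period: str
    created_by: str = ""    # user who created the record (audit trail)
    review: str = ""        # "supervisory", "sampled", or "" (not selected)


# Constructed employee master file.
EMPLOYEES = {
    "E100": Employee("E100", "USDA", "FT"),
    "E101": Employee("E101", "USDA", "FT", separated=True),
    "E102": Employee("E102", "DHS", "PT"),
    "E900": Employee("E900", "NFC", "FT"),
    "E901": Employee("E901", "OCFO", "FT"),
}


def validate(record, employees=EMPLOYEES):
    """Automated edits of the kind the validation system applies. Returns the list
    of errors; an empty list means the record can proceed to pay computation."""
    emp = employees.get(record.emp_id)
    if emp is None:
        return ["no employee master record"]
    errors = []
    if emp.separated:
        errors.append("T&A received for a separated employee")
    if emp.agency != record.agency:
        errors.append("record submitted by an agency other than the employee's")
    if emp.schedule == "FT" and record.hours < FULL_TIME_HOURS:
        errors.append(f"full-time employee credited with {record.hours} of {FULL_TIME_HOURS} hours")
    return errors


class CorrectionSystem:
    """Records created here are stamped with the creating user and routed either to
    supervisory review (records for NFC or other OCFO staff) or into a periodic
    sample; validation errors send the record to the error suspense file."""
    SUPERVISED_AGENCIES = {"NFC", "OCFO"}

    def __init__(self, sample_every=5, employees=EMPLOYEES):
        self.sample_every = sample_every   # assumed systematic sample: every nth record
        self.employees = employees
        self.unsupervised_seen = 0
        self.suspense = []      # records that failed validation
        self.accepted = []      # records cleared for pay computation
        self.audit_log = []     # (user, emp_id, pay_period, errors)

    def create(self, user, record):
        record.created_by = user
        emp = self.employees.get(record.emp_id)
        if emp is not None and emp.agency in self.SUPERVISED_AGENCIES:
            record.review = "supervisory"
        else:
            self.unsupervised_seen += 1
            if self.unsupervised_seen % self.sample_every == 0:
                record.review = "sampled"
        errors = validate(record, self.employees)
        self.audit_log.append((user, record.emp_id, record.pay_period, tuple(errors)))
        (self.suspense if errors else self.accepted).append(record)
        return errors

    def records_for_review(self):
        """Everything a supervisor must look at: supervised records plus the sample."""
        return [r for r in self.accepted + self.suspense if r.review]

    def actions_by(self, user):
        """Audit-trail query: which records did this user create, and with what result?"""
        return [entry for entry in self.audit_log if entry[0] == user]
```

Because `create` stamps the creating user before the record is stored, a record for an NFC or OCFO employee can never reach the accepted queue without a reviewer seeing who created it, which is the point of the compensating control the report describes.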